Summer Special Sales Coupon - 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: c4s55disc

SCS-C01 PDF

$49.5

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

SCS-C01 PDF + Testing Engine

$79.2

$175.99

3 Months Free Update

  • Exam Name: AWS Certified Security - Specialty
  • Last Update: Jun 27, 2022
  • Questions and Answers: 532
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

SCS-C01 Engine

$59.4

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included

SCS-C01 AWS Certified Security - Specialty Questions and Answers

Question # 6

A company has an IAM account and allows a third-party contractor who uses another IAM account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts

What should the company do to accomplish this?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 7

A company is designing the securely architecture (or a global latency-sensitive web application it plans to deploy to IAM. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.

Which solution meets these requirements?

A.

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon

CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.

B.

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.

C.

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.

D.

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.

Full Access
Question # 8

A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account. For added security, the logs are stored using server-side encryption with IAM KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

A.

The log files fail integrity validation and automatically are marked as unavailable.

B.

The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.

C.

The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

D.

An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Full Access
Question # 9

A company is developing a new mobile app for social media sharing. The company's development team has decided to use Amazon S3 to store at media files generated by mobile app users The company wants to allow users to control whether their own tiles are public, private, of shared with other users in their social network

what should the development team do to implement the type of access control with the LEAST administrative effort?

A.

Use individual ACLs on each S3 object.

B.

Use IAM groups tor sharing files between application social network users

C.

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

D.

Generate presigned UPLs for each file access

Full Access
Question # 10

A company's Security Officer is concerned about the risk of IAM account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins.

How should the Security Engineer meet these requirements?

A.

Create a cron job that runs a script lo download the IAM IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st

B.

Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list.

C.

Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

D.

Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Full Access
Question # 11

A company's information security team want to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs gather logs from all of the company's IAM accounts in a single place.

How should the Security Engineer go about doing this?

A.

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

B.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

C.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

D.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Full Access
Question # 12

A security engineer need to ensure their company’s uses of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.

Which solution meets these requirements?

A.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

B.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

C.

Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

D.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Full Access
Question # 13

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

A.

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.

B.

Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.

C.

Use the S3 encryption client to encrypt each file individually using S3-generated data keys

D.

Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS-managed keys (SSE-KMS) to encrypt the data

Full Access
Question # 14

A company has a serverless application for internal users deployed on IAM. The application uses IAM Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC The company uses IAM Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues

  • The Lambda function has internet access.
  • The relational database is publicly accessible.
  • The database credentials are not stored in an encrypted state.

Which combination of steps should the company take to resolve these security issues? (Select THREE)

A.

Disable public access to the RDS database inside the VPC

B.

Move all the Lambda functions inside the VPC.

C.

Edit the IAM role used by Lambda to restrict internet access.

D.

Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.

E.

Edit the IAM role used by RDS to restrict internet access.

F.

Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

Full Access
Question # 15

A company's on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its IAM accounts that includes automatic remediation. The company expects to double in size within the next few months.

Which solution meets the company's current and future logging requirements?

A.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

B.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

C.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

D.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

Full Access
Question # 16

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future

What are some ways the Engineer could achieve this? (Select THREE )

A.

Use IAM X-Ray to inspect the traffic going 10 the EC2 instances

B.

Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution

C.

Change the security group configuration to block the source of the attack traffic

D.

Use IAM WAF security rules to inspect the inbound traffic

E.

Use Amazon inspector assessment templates to inspect the inbound traffic

F.

Use Amazon Route 53 to distribute traffic

Full Access
Question # 17

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The Security Engineer has verified the following:

1. The rule set in the Security Groups is correct

2. The rule set in the network ACLs is correct

3. The rule set in the virtual appliance is correct

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

A.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

B.

Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).

C.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

D.

Verify the registered targets in the ALB.

E.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Full Access
Question # 18

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other IAM account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

A.

Disable the EC2 instance metadata service.

B.

Log all student SSH interactive session activity.

C.

Implement ip tables-based restrictions on the instances.

D.

Install the Amazon Inspector agent on the instances.

Full Access
Question # 19

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which action would provide the required functionality?

A.

Pass the key alias to IAM KMS when calling Encrypt and Decrypt API actions.

B.

Use IAM policies to restrict access to Encrypt and Decrypt API actions.

C.

Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

D.

Use key policies to restrict access to the appropriate IAM groups.

Full Access
Question # 20

A company uses SAML federation with IAM Identity and Access Management (IAM) to provide internal users with SSO for their IAM accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

"Error: Response Signature Invalid (Service: IAMSecuntyTokenService; Status Code: 400; Error Code: InvalidldentltyToken)"

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

A.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

B.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

C.

Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

D.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

E.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Full Access
Question # 21

A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

A.

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

B.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

C.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

D.

Confirm in the CloudTrail Console that each trail is active and healthy.

E.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

F.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Full Access
Question # 22

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

A.

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

B.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

C.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

D.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Full Access
Question # 23

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

Pattern:

"randomID_datestamp_PII.csv"

Example:

"1234567_12302017_000-00-0000 csv"

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

A.

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

B.

Add an S3 bucket policy that denies the action s3:GetObject

C.

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

D.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Full Access
Question # 24

A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on IAM, but does have IAM Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

A.

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

B.

Use the IAM Systems Manager Run Command to patch affected instances.

C.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

D.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Full Access
Question # 25

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l .amazonIAM.com. You have some web pages that use Javascript that access resources in another bucket which has web site hosting also enabled. But when users access the web pages , they are getting a blocked Javascript error. How can you rectify this?

Please select:

A.

Enable CORS for the bucket

B.

Enable versioning for the bucket

C.

Enable MFA for the bucket

D.

Enable CRR for the bucket

Full Access
Question # 26

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

A.

email.us-east-1.amazonIAM.com over port 8080

B.

email-pop3.us-east-1.amazonIAM.com over port 995

C.

email-smtp.us-east-1.amazonIAM.com over port 587

D.

email-imap.us-east-1.amazonIAM.com over port 993

Full Access
Question # 27

A company uses IAM Organization to manage 50 IAM accounts. The finance staff members log in as IAM IAM users in the FinanceDept IAM account. The staff members need to read the consolidated billing information in the MasterPayer IAM account. They should not be able to view any other resources in the MasterPayer IAM account. IAM access to billing has been enabled in the MasterPayer account.

Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

A.

Create an IAM group for the finance users in the FinanceDept account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

B.

Create an IAM group for the finance users in the MasterPayer account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

C.

Create an IAM IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.

D.

Create an IAM IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Full Access
Question # 28

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

  • Each object must be encrypted using a unique key.
  • Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.
  • IAM KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

A.

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

B.

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

C.

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

D.

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Full Access
Question # 29

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.

What is the most efficient way to remediate the risk of this activity?

A.

Delete the internet gateway associated with the VPC.

B.

Use network access control lists to block source IP addresses matching 0.0.0.0/0.

C.

Use a host-based firewall to prevent access from all but the organization’s firewall IP.

D.

Use IAM Config rules to detect 0.0.0.0/0 and invoke an IAM Lambda function to update the security group with the organization's firewall IP.

Full Access
Question # 30

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?

Please select:

A.

Enable IAM Guard Duty for the Instance

B.

Use IAM Trusted Advisor

C.

Use IAM inspector

D.

UseIAMMacie

Full Access
Question # 31

A company has deployed a custom DNS server in IAM. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.

How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

A.

Deny access to the Amazon DNS IP within all security groups.

B.

Add a rule to all network access control lists that deny access to the Amazon DNS IP.

C.

Add a route to all route tables that black holes traffic to the Amazon DNS IP.

D.

Disable DNS resolution within the VPC configuration.

Full Access
Question # 32

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

A.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

B.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

C.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

D.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Full Access
Question # 33

Your company has an EC2 Instance that is hosted in an IAM VPC. There is a requirement to ensure that logs files from the EC2 Instance are stored accordingly. The access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution

Please select:

A.

Stream the log files to a separate Cloudtrail trail

B.

Stream the log files to a separate Cloudwatch Log group

C.

Create an IAM policy that gives the desired level of access to the Cloudtrail trail

D.

Create an IAM policy that gives the desired level of access to the Cloudwatch Log group

Full Access
Question # 34

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in IAM CloudTrail to support and troubleshoot the product.

Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

A.

Ensure that the log file integrity validation mechanism is enabled.

B.

Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

C.

Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

D.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

E.

Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Full Access
Question # 35

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.

What solution will allow the Security team to complete this request?

A.

Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

B.

Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing IAM CloudTrail logs and S3 bucket logs for GET operations.

C.

Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

D.

Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Full Access
Question # 36

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 37

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.

Which steps should be taken to investigate the suspected compromise? (Choose three.)

A.

Detach the elastic network interface from the EC2 instance.

B.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

D.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F.

Add a rule to an IAM WAF to block access to the EC2 instance.

Full Access
Question # 38

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, IAM Lambda functions must issue queries to the RDS database by using the same database credentials.

The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.

What should the Security Engineer do to meet these requirements?

A.

Store the database credentials in IAM Key Management Service (IAM KMS). Create an IAM role with access to IAM KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

B.

Store the database credentials in IAM KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

C.

Store the database credentials in IAM Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

D.

Store the database credentials in IAM Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Full Access
Question # 39

A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:

-Storage is accessible by using only VPCs.

-Service has tamper-evident controls.

-Access logging is enabled.

-Storage has high availability.

Which of the following services meets these requirements?

A.

Amazon S3 with default encryption

B.

IAM CloudHSM

C.

Amazon DynamoDB with server-side encryption

D.

IAM Systems Manager Parameter Store

Full Access
Question # 40

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.

An operational safety policy requires that access to specific credentials is independently auditable.

What is the MOST cost-effective way to manage the storage of credentials?

A.

Use IAM Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an IAM KMS key.

B.

Use IAM Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.

C.

Use IAM Secrets Manager to store the credentials.

D.

Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Full Access
Question # 41

A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to IAM and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.

Which application flow would meet the data protection requirements on IAM?

A.

Digitized files -> Amazon Kinesis Data Analytics

B.

Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena

C.

Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena

D.

Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

Full Access
Question # 42

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below

Please select:

A.

Add the EC2 instance role as a trusted service to the SSM service role.

B.

Add permission to use the KMS key to decrypt to the SSM service role.

C.

Add permission to read the SSM parameter to the EC2 instance role. .

D.

Add permission to use the KMS key to decrypt to the EC2 instance role

E.

Add the SSM service role as a trusted service to the EC2 instance role.

Full Access
Question # 43

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.

Which DynamoDB feature should the Engineer use to achieve compliance'?

A.

Use IAM Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

B.

Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB

C.

Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.

D.

Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Full Access
Question # 44

What is the function of the following IAM Key Management Service (KMS) key policy attached to a customer master key (CMK)?

A.

The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.

B.

The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and IAM.

C.

The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.

D.

The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

Full Access
Question # 45

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same IAM KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.

The company’s Developer Operations department learns about this only after the CMK has been deleted.

Which steps must be taken to address this situation?

A.

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

B.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

C.

Make a request to IAM Support to recover the S3 encrypted data.

D.

Make a request to IAM Support to restore the deleted CMK, and use it to recover the data.

Full Access
Question # 46

You have just received an email from IAM Support stating that your IAM account might have been compromised. Which of the following steps would you look to carry out immediately. Choose 3 answers from the options below.

Please select:

A.

Change the root account password.

B.

Rotate all IAM access keys

C.

Keep all resources running to avoid disruption

D.

Change the password for all IAM users.

Full Access
Question # 47

An application outputs logs to a text file. The logs must be continuously monitored for security incidents.

Which design will meet the requirements with MINIMUM effort?

A.

Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

B.

Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.

C.

Create a scheduled process to copy the application log files to IAM CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

D.

Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Full Access
Question # 48

Which of the following are valid event sources that are associated with web access control lists that trigger IAM WAF rules? (Choose two.)

A.

Amazon S3 static web hosting

B.

Amazon CloudFront distribution

C.

Application Load Balancer

D.

Amazon Route 53

E.

VPC Flow Logs

Full Access
Question # 49

A security team is responsible for reviewing IAM API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future IAM regions.

What is the SIMPLEST way to meet these requirements?

A.

Enable IAM Trusted Advisor security checks in the IAM Console, and report all security incidents for all regions.

B.

Enable IAM CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C.

Enable IAM CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D.

Enable Amazon CloudWatch logging for all IAM services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Full Access
Question # 50

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.

Which architecture should the Security Engineer use to meet these requirements?

A.

Use IAM Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

B.

Use IAM Shield to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

C.

Use IAM WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

D.

Use IAM WAF to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Full Access
Question # 51

Your CTO is very worried about the security of your IAM account. How best can you prevent hackers from completely hijacking your account?

Please select:

A.

Use short but complex password on the root account and any administrators.

B.

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

C.

Use MFA on all users and accounts, especially on the root account.

D.

Don't write down or remember the root account password after creating the IAM account.

Full Access
Question # 52

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.

3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other

4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols

5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required

Which of the following accurately reflects the access control mechanisms the Architect should verify1?

A.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

B.

Inbound SG configuration on database servers

Outbound SG configuration on application servers

Inbound and outbound network ACL configuration on the database subnet

Inbound and outbound network ACL configuration on the application server subnet

C.

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

D.

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Full Access
Question # 53

A company wants to use Cloudtrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below

Please select:

A.

Create one Cloudtrail log group for data events

B.

Create one trail that logs data events to an S3 bucket

C.

Create another trail that logs management events to another S3 bucket

D.

Create another Cloudtrail log group for management events

Full Access
Question # 54

Every application in a company's portfolio has a separate IAM account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?

Please select:

A.

Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

B.

Create a Service Control Policy that denies access to the services. Apply the policy to the root account.

C.

Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.

D.

Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.

Full Access
Question # 55

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

A.

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

B.

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

C.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

D.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

E.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Full Access
Question # 56

Your company has been using IAM for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following

Whether any ports are left open other than admin ones like SSH and RDP

Whether any ports to the database server other than ones from the web server security group are open Which of the following can help achieve this in the easiest way possible. You don't want to carry out an extra configuration changes?

Please select:

A.

IAM Config

B.

IAM Trusted Advisor

C.

IAM Inspector D.IAMGuardDuty

Full Access
Question # 57

You are planning to use IAM Configto check the configuration of the resources in your IAM account. You are planning on using an existing IAM role and using it for the IAM Config resource. Which of the following is required to ensure the IAM config service can work as required?

Please select:

A.

Ensure that there is a trust policy in place for the IAM Config service within the role

B.

Ensure that there is a grant policy in place for the IAM Config service within the role

C.

Ensure that there is a user policy in place for the IAM Config service within the role

D.

Ensure that there is a group policy in place for the IAM Config service within the role

Full Access
Question # 58

A company has an existing IAM account and a set of critical resources hosted in that account. The employee who was in-charge of the root account has left the company. What must be now done to secure the account. Choose 3 answers from the options given below.

Please select:

A.

Change the access keys for all IAM users.

B.

Delete all custom created IAM policies

C.

Delete the access keys for the root account

D.

Confirm MFAtoa secure device

E.

Change the password for the root account

F.

Change the password for all IAM users

Full Access
Question # 59

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account

How should the security learn securely store the API key?

A.

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

B.

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

C.

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

D.

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Full Access
Question # 60

You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the belov methods would be the best both practically and security-wise, to access the tables? Choose the correct answer from the options below

Please select:

A.

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

B.

Create an HSM client certificate in Redshift and authenticate using this certificate.

C.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

D.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Full Access
Question # 61

A customer has an instance hosted in the IAM Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.

Please select:

A.

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation

B.

Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation

C.

Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

D.

Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Full Access
Question # 62

Your company has a set of EC2 Instances defined in IAM. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below

Please select:

A.

Use a host based intrusion detection system

B.

Use a third party firewall installed on a central EC2 instance

C.

Use VPC Flow logs

D.

Use Network Access control lists logging

Full Access
Question # 63

Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flIAM. Which of the following can be done to ensure this? Choose 2 answers from the options given below.

Please select:

A.

Use IAM Config to ensure that the servers have no critical flIAM.

B.

Use IAM inspector to ensure that the servers have no critical flIAM.

C.

Use IAM inspector to patch the servers

D.

Use IAM SSM to patch the servers

Full Access
Question # 64

You currently operate a web application In the IAM US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?

Please select:

A.

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

B.

Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.

C.

Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

D.

Create three new CloudTrail trails with three new S3 buckets to store the logs one for the IAM Management console, one for IAM SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Full Access
Question # 65

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM.

Which combination of IAM services and features will provide protection in this scenario? (Select THREE).

A.

Amazon Route 53

B.

IAM Certificate Manager (ACM)

C.

Amazon S3

D.

IAM Shield

E.

Elastic Load Balancer

F.

Amazon GuardDuty

Full Access
Question # 66

A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs.

Which IAM services should be used to meet these requirements? (Select TWO)

A.

Amazon Athena

B.

Amazon Kinesis

C.

Amazon SQS

D.

Amazon Elasticsearch

E.

Amazon EMR

Full Access
Question # 67

DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you should probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below

Please select:

A.

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.

B.

The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.

C.

The EC2 instance running your WAF software is placed between your public subnets and your private subnets.

D.

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Full Access
Question # 68

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from IAM across multiple accounts. The security team has enabled IAM CloudTrail and VPC Flow Logs in all of its accounts In addition, the company has an organization in IAM Organizations and has an IAM Security Hub master account.

The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure why

What must the security team do to enable Detective?

A.

Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

B.

Disable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

C.

Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

D.

Ensure that the principal that launches Detective has the organizations ListAccounts permission

Full Access
Question # 69

You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?

Please select:

A.

Enable server access logging for the bucket

B.

Enable Cloudwatch metrics for the bucket

C.

Enable Cloudwatch logs for the bucket

D.

Enable IAM Config for the S3 bucket

Full Access
Question # 70

A company is using IAM Organizations. The company wants to restrict IAM usage to the eu-west-1 Region for all accounts under an OU that is named "development." The solution must persist restrictions to existing and new IAM accounts under the development OU.

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 71

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

A)

B)

C)

D)

E)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

Full Access
Question # 72

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.

What should the Security Engineer do to accomplish this?

A.

Filter IAM CloudTrail logs for KeyRotaton events

B.

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

C.

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

D.

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Full Access
Question # 73

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

A.

Manually rotate a key within KMS to create a new CMK immediately

B.

Use the KMS import key functionality to execute a delete key operation

C.

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

D.

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Full Access
Question # 74

Your company has a set of 1000 EC2 Instances defined in an IAM Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?

Please select:

A.

Use the IAM Systems Manager Parameter Store

B.

Use the IAM Systems Manager Run Command

C.

Use the IAM Inspector

D.

Use IAM Config

Full Access
Question # 75

The CFO of a company wants to allow one of his employees to view only the IAM usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the IAM usage report page?

Please select:

A.

"Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"

B.

"Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"

C.

"Effect': "Allow", "Action": ["IAM-portal:ViewUsage"," IAM-portal:ViewBilling"], "Resource": "*"

D.

"Effect": "Allow", "Action": ["IAM-portal: ViewBilling"], "Resource": "*"

Full Access
Question # 76

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

Please select:

A.

From the IAM Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

B.

Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

C.

Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

D.

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

Full Access